The “Great Resignation” is still well underway, with 20 percent of UK workers anticipating they will not be with the same employer in the next 12 months, highlights Nick Schneider.
Combined with this is workers looking for new roles offerer more money in a response to the rise in the cost of living, both of which have created one of the busiest labour markets the UK has seen.
The growing number of job-seekers has also created an unprecedented opportunity for threat actors to capitalise on their searches for employment, often through social engineering scams impersonating LinkedIn, Facebook and other social networking sites which advertise job opportunities.
Beware the wolves in sheep’s clothing.
Though hackers have always used social engineering to manipulate their targets into giving up credentials or access to data, LinkedIn is currently the vector of choice across North America and the UK. Over the last six months, threat actors have taken to designing fraudulent LinkedIn login pages which they then send to targets via email, prompting unsuspecting LinkedIn users – likely job-seekers – to enter their passwords.
These phishing attempts often incorporate elements of a real LinkedIn profile, like the company logo and footer designs, to make them appear legitimate. Unfortunately, it seems to be working as LinkedIn-related social engineering scams rose 232 percent according to UK-based Egress Software. Also, a study from Check Point found that 52 percent of all global phishing attacks during Q1 2022 were LinkedIn-focused scams.
How to differentiate between the fakes and the real thing
As such, I have put together the best ways people can stay vigilant and secure against social engineering hackers when browsing for jobs online.
1. Know what to look for in a social engineering scam
While LinkedIn emails users about the latest job openings, new messages, connections and profile visits, there’s a few easy ways to differentiate a legitimate LinkedIn email from a socially engineered one. Firstly, scammers will often copy LinkedIn’s stylised logos and email templates in phishing attempts, so cross-checking a potential phish against another, certifiably legitimate LinkedIn email can often reveal small errors helping determine fraudulent communication.
2. If it is too good to be true…
It probably is. LinkedIn, and other social media platforms, are a great way to meet new friends and network with industry peers.
But, before you accept an invitation or engage with a new friend or connection, stop to consider whether it makes sense they have asked to connect.
Sure, a profile which is entirely in Russian may have a job opportunity for you, but are you able to find any other information about the person behind the profile online? If not, there is a far greater chance the person is not who they appear to be and may be trying to take advantage of your willingness to network.
3. Do not overshare
The fun of LinkedIn and other social networking sites largely lies in sharing your accomplishments and life updates with a large group of people. Most of whom are likely to congratulate you on an upcoming vacation or your new role overseeing an important part of the business.
Just as oversharing in person can lead to strained relationships, oversharing online can be a boon to scammers looking for insight into your personal life. For example, your password may be an amalgamation of birthdays, past schools and pet names, many of which people erroneously share online.. Savvy scammers will pick up on those clues to potentially brute force their way into personal accounts which were otherwise protected.
Sharing information about your role, including projects you are working on or issues you are dealing with can arm scammers with information they can then engineer into a phishing email tailored for you.
The nature of scams is cyclical, meaning hackers may eventually jump ship from LinkedIn to another website in order to scam their targets.
In the midst of a LinkedIn scam boom, however, as long as people keep looking for jobs, hackers will continue to try to take advantage of them.
But they do not have to succeed, and practicing proper security awareness and heeding the aforementioned advice is the best way to stay safe online.
_
Nick Schneider is CEO of Arctic Wolf.
